diff --git a/assets/overlays/aws-ebs/generated/hypershift/kube_rbac_proxy_binding.yaml b/assets/overlays/aws-ebs/generated/hypershift/kube_rbac_proxy_binding.yaml new file mode 100644 index 000000000..2e3623bc4 --- /dev/null +++ b/assets/overlays/aws-ebs/generated/hypershift/kube_rbac_proxy_binding.yaml @@ -0,0 +1,19 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/kube_rbac_proxy_binding.yaml +# +# +# Allow kube-rbac-proxies to create tokenreviews to check Prometheus identity when scraping metrics. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ebs-kube-rbac-proxy-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ebs-kube-rbac-proxy-role +subjects: +- kind: ServiceAccount + name: aws-ebs-csi-driver-controller-sa + namespace: ${NAMESPACE} diff --git a/assets/overlays/aws-ebs/generated/hypershift/kube_rbac_proxy_role.yaml b/assets/overlays/aws-ebs/generated/hypershift/kube_rbac_proxy_role.yaml new file mode 100644 index 000000000..f2897240e --- /dev/null +++ b/assets/overlays/aws-ebs/generated/hypershift/kube_rbac_proxy_role.yaml @@ -0,0 +1,18 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/kube_rbac_proxy_role.yaml +# +# +# Allow kube-rbac-proxies to create tokenreviews to check Prometheus identity when scraping metrics. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ebs-kube-rbac-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create diff --git a/assets/overlays/aws-ebs/generated/hypershift/manifests.yaml b/assets/overlays/aws-ebs/generated/hypershift/manifests.yaml index bfd325a9f..cd08b54d8 100644 --- a/assets/overlays/aws-ebs/generated/hypershift/manifests.yaml +++ b/assets/overlays/aws-ebs/generated/hypershift/manifests.yaml 
@@ -6,6 +6,8 @@ controllerStaticAssetNames: - service.yaml guestStaticAssetNames: - csidriver.yaml +- kube_rbac_proxy_binding.yaml +- kube_rbac_proxy_role.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml - main_attacher_binding.yaml @@ -16,6 +18,8 @@ guestStaticAssetNames: - node_privileged_binding.yaml - node_sa.yaml - privileged_role.yaml +- prometheus_binding.yaml +- prometheus_role.yaml - storageclass_gp2.yaml - storageclass_gp3.yaml - storageclass_reader_resizer_binding.yaml diff --git a/assets/overlays/aws-ebs/generated/hypershift/prometheus_binding.yaml b/assets/overlays/aws-ebs/generated/hypershift/prometheus_binding.yaml new file mode 100644 index 000000000..7b8463a89 --- /dev/null +++ b/assets/overlays/aws-ebs/generated/hypershift/prometheus_binding.yaml @@ -0,0 +1,20 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/prometheus_binding.yaml +# +# +# Grant cluster-monitoring access to the operator metrics service + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: aws-ebs-csi-driver-prometheus + namespace: ${NODE_NAMESPACE} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: aws-ebs-csi-driver-prometheus +subjects: +- kind: ServiceAccount + name: prometheus-k8s + namespace: openshift-monitoring diff --git a/assets/overlays/aws-ebs/generated/hypershift/prometheus_role.yaml b/assets/overlays/aws-ebs/generated/hypershift/prometheus_role.yaml new file mode 100644 index 000000000..27605c961 --- /dev/null +++ b/assets/overlays/aws-ebs/generated/hypershift/prometheus_role.yaml 
@@ -0,0 +1,23 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/prometheus_role.yaml +# +# +# Role for accessing metrics exposed by the operator + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: aws-ebs-csi-driver-prometheus + namespace: ${NODE_NAMESPACE} +rules: +- apiGroups: + - "" + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch diff --git a/assets/overlays/aws-ebs/generated/standalone/manifests.yaml b/assets/overlays/aws-ebs/generated/standalone/manifests.yaml index 2c4df7e1c..79a2e417b 100644 --- a/assets/overlays/aws-ebs/generated/standalone/manifests.yaml +++ b/assets/overlays/aws-ebs/generated/standalone/manifests.yaml @@ -3,14 +3,12 @@ controllerStaticAssetNames: - controller.yaml - controller_pdb.yaml - controller_sa.yaml -- kube_rbac_proxy_binding.yaml -- kube_rbac_proxy_role.yaml -- prometheus_binding.yaml -- prometheus_role.yaml - service.yaml - servicemonitor.yaml guestStaticAssetNames: - csidriver.yaml +- kube_rbac_proxy_binding.yaml +- kube_rbac_proxy_role.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml - main_attacher_binding.yaml @@ -21,6 +19,8 @@ guestStaticAssetNames: - node_privileged_binding.yaml - node_sa.yaml - privileged_role.yaml +- prometheus_binding.yaml +- prometheus_role.yaml - storageclass_gp2.yaml - storageclass_gp3.yaml - storageclass_reader_resizer_binding.yaml diff --git a/assets/overlays/aws-efs/generated/standalone/manifests.yaml b/assets/overlays/aws-efs/generated/standalone/manifests.yaml index 606939a7f..f080ef071 100644 --- a/assets/overlays/aws-efs/generated/standalone/manifests.yaml +++ b/assets/overlays/aws-efs/generated/standalone/manifests.yaml 
@@ -5,16 +5,14 @@ controllerStaticAssetNames: - controller_privileged_binding.yaml - controller_sa.yaml - credentials.yaml -- kube_rbac_proxy_binding.yaml -- kube_rbac_proxy_role.yaml - privileged_role.yaml -- prometheus_binding.yaml -- prometheus_role.yaml - service.yaml - servicemonitor.yaml guestStaticAssetNames: - credentials-node.yaml - csidriver.yaml +- kube_rbac_proxy_binding.yaml +- kube_rbac_proxy_role.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml - main_provisioner_binding.yaml @@ -22,3 +20,5 @@ guestStaticAssetNames: - node_privileged_binding.yaml - node_sa.yaml - privileged_role.yaml +- prometheus_binding.yaml +- prometheus_role.yaml diff --git a/assets/overlays/azure-disk/generated/hypershift/kube_rbac_proxy_binding.yaml b/assets/overlays/azure-disk/generated/hypershift/kube_rbac_proxy_binding.yaml new file mode 100644 index 000000000..befb645e2 --- /dev/null +++ b/assets/overlays/azure-disk/generated/hypershift/kube_rbac_proxy_binding.yaml @@ -0,0 +1,19 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/kube_rbac_proxy_binding.yaml +# +# +# Allow kube-rbac-proxies to create tokenreviews to check Prometheus identity when scraping metrics. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: azure-disk-kube-rbac-proxy-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: azure-disk-kube-rbac-proxy-role +subjects: +- kind: ServiceAccount + name: azure-disk-csi-driver-controller-sa + namespace: ${NAMESPACE} diff --git a/assets/overlays/azure-disk/generated/hypershift/kube_rbac_proxy_role.yaml b/assets/overlays/azure-disk/generated/hypershift/kube_rbac_proxy_role.yaml new file mode 100644 index 000000000..df9f6a3af --- /dev/null +++ b/assets/overlays/azure-disk/generated/hypershift/kube_rbac_proxy_role.yaml 
@@ -0,0 +1,18 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/kube_rbac_proxy_role.yaml +# +# +# Allow kube-rbac-proxies to create tokenreviews to check Prometheus identity when scraping metrics. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: azure-disk-kube-rbac-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create diff --git a/assets/overlays/azure-disk/generated/hypershift/manifests.yaml b/assets/overlays/azure-disk/generated/hypershift/manifests.yaml index b2e872b92..5b7cbf3e3 100644 --- a/assets/overlays/azure-disk/generated/hypershift/manifests.yaml +++ b/assets/overlays/azure-disk/generated/hypershift/manifests.yaml @@ -6,6 +6,8 @@ controllerStaticAssetNames: - service.yaml guestStaticAssetNames: - csidriver.yaml +- kube_rbac_proxy_binding.yaml +- kube_rbac_proxy_role.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml - main_attacher_binding.yaml @@ -22,6 +24,8 @@ guestStaticAssetNames: - node_service.yaml - node_servicemonitor.yaml - privileged_role.yaml +- prometheus_binding.yaml +- prometheus_role.yaml - storageclass.yaml - storageclass_reader_resizer_binding.yaml - volumesnapshot_reader_provisioner_binding.yaml diff --git a/assets/overlays/azure-disk/generated/hypershift/prometheus_binding.yaml b/assets/overlays/azure-disk/generated/hypershift/prometheus_binding.yaml new file mode 100644 index 000000000..2604e1299 --- /dev/null +++ b/assets/overlays/azure-disk/generated/hypershift/prometheus_binding.yaml 
@@ -0,0 +1,20 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/prometheus_binding.yaml +# +# +# Grant cluster-monitoring access to the operator metrics service + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: azure-disk-csi-driver-prometheus + namespace: ${NODE_NAMESPACE} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: azure-disk-csi-driver-prometheus +subjects: +- kind: ServiceAccount + name: prometheus-k8s + namespace: openshift-monitoring diff --git a/assets/overlays/azure-disk/generated/hypershift/prometheus_role.yaml b/assets/overlays/azure-disk/generated/hypershift/prometheus_role.yaml new file mode 100644 index 000000000..0c2b5ef0d --- /dev/null +++ b/assets/overlays/azure-disk/generated/hypershift/prometheus_role.yaml @@ -0,0 +1,23 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/prometheus_role.yaml +# +# +# Role for accessing metrics exposed by the operator + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: azure-disk-csi-driver-prometheus + namespace: ${NODE_NAMESPACE} +rules: +- apiGroups: + - "" + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch diff --git a/assets/overlays/azure-disk/generated/standalone/manifests.yaml b/assets/overlays/azure-disk/generated/standalone/manifests.yaml index ffa9f99f3..6aeeb8605 100644 --- a/assets/overlays/azure-disk/generated/standalone/manifests.yaml +++ b/assets/overlays/azure-disk/generated/standalone/manifests.yaml 
@@ -3,14 +3,12 @@ controllerStaticAssetNames: - controller.yaml - controller_pdb.yaml - controller_sa.yaml -- kube_rbac_proxy_binding.yaml -- kube_rbac_proxy_role.yaml -- prometheus_binding.yaml -- prometheus_role.yaml - service.yaml - servicemonitor.yaml guestStaticAssetNames: - csidriver.yaml +- kube_rbac_proxy_binding.yaml +- kube_rbac_proxy_role.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml - main_attacher_binding.yaml @@ -27,6 +25,8 @@ guestStaticAssetNames: - node_service.yaml - node_servicemonitor.yaml - privileged_role.yaml +- prometheus_binding.yaml +- prometheus_role.yaml - storageclass.yaml - storageclass_reader_resizer_binding.yaml - volumesnapshot_reader_provisioner_binding.yaml diff --git a/assets/overlays/azure-file/generated/hypershift/kube_rbac_proxy_binding.yaml b/assets/overlays/azure-file/generated/hypershift/kube_rbac_proxy_binding.yaml new file mode 100644 index 000000000..116cd030d --- /dev/null +++ b/assets/overlays/azure-file/generated/hypershift/kube_rbac_proxy_binding.yaml @@ -0,0 +1,19 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/kube_rbac_proxy_binding.yaml +# +# +# Allow kube-rbac-proxies to create tokenreviews to check Prometheus identity when scraping metrics. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: azure-file-kube-rbac-proxy-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: azure-file-kube-rbac-proxy-role +subjects: +- kind: ServiceAccount + name: azure-file-csi-driver-controller-sa + namespace: ${NAMESPACE} diff --git a/assets/overlays/azure-file/generated/hypershift/kube_rbac_proxy_role.yaml b/assets/overlays/azure-file/generated/hypershift/kube_rbac_proxy_role.yaml new file mode 100644 index 000000000..6300714d2 --- /dev/null +++ b/assets/overlays/azure-file/generated/hypershift/kube_rbac_proxy_role.yaml 
@@ -0,0 +1,18 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/kube_rbac_proxy_role.yaml +# +# +# Allow kube-rbac-proxies to create tokenreviews to check Prometheus identity when scraping metrics. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: azure-file-kube-rbac-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create diff --git a/assets/overlays/azure-file/generated/hypershift/manifests.yaml b/assets/overlays/azure-file/generated/hypershift/manifests.yaml index 1e243a851..bda80a547 100644 --- a/assets/overlays/azure-file/generated/hypershift/manifests.yaml +++ b/assets/overlays/azure-file/generated/hypershift/manifests.yaml @@ -8,6 +8,8 @@ guestStaticAssetNames: - csi-driver-cluster-role-binding.yaml - csi-driver-cluster-role.yaml - csidriver.yaml +- kube_rbac_proxy_binding.yaml +- kube_rbac_proxy_role.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml - main_attacher_binding.yaml @@ -18,6 +20,8 @@ guestStaticAssetNames: - node_privileged_binding.yaml - node_sa.yaml - privileged_role.yaml +- prometheus_binding.yaml +- prometheus_role.yaml - storageclass.yaml - storageclass_reader_resizer_binding.yaml - volumesnapshot_reader_provisioner_binding.yaml diff --git a/assets/overlays/azure-file/generated/hypershift/prometheus_binding.yaml b/assets/overlays/azure-file/generated/hypershift/prometheus_binding.yaml new file mode 100644 index 000000000..a9ea4db9e --- /dev/null +++ b/assets/overlays/azure-file/generated/hypershift/prometheus_binding.yaml 
@@ -0,0 +1,20 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/prometheus_binding.yaml +# +# +# Grant cluster-monitoring access to the operator metrics service + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: azure-file-csi-driver-prometheus + namespace: ${NODE_NAMESPACE} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: azure-file-csi-driver-prometheus +subjects: +- kind: ServiceAccount + name: prometheus-k8s + namespace: openshift-monitoring diff --git a/assets/overlays/azure-file/generated/hypershift/prometheus_role.yaml b/assets/overlays/azure-file/generated/hypershift/prometheus_role.yaml new file mode 100644 index 000000000..5c3322a5f --- /dev/null +++ b/assets/overlays/azure-file/generated/hypershift/prometheus_role.yaml @@ -0,0 +1,23 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/prometheus_role.yaml +# +# +# Role for accessing metrics exposed by the operator + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: azure-file-csi-driver-prometheus + namespace: ${NODE_NAMESPACE} +rules: +- apiGroups: + - "" + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch diff --git a/assets/overlays/azure-file/generated/standalone/manifests.yaml b/assets/overlays/azure-file/generated/standalone/manifests.yaml index 8901c241b..9ead910b8 100644 --- a/assets/overlays/azure-file/generated/standalone/manifests.yaml +++ b/assets/overlays/azure-file/generated/standalone/manifests.yaml 
@@ -3,16 +3,14 @@ controllerStaticAssetNames: - controller.yaml - controller_pdb.yaml - controller_sa.yaml -- kube_rbac_proxy_binding.yaml -- kube_rbac_proxy_role.yaml -- prometheus_binding.yaml -- prometheus_role.yaml - service.yaml - servicemonitor.yaml guestStaticAssetNames: - csi-driver-cluster-role-binding.yaml - csi-driver-cluster-role.yaml - csidriver.yaml +- kube_rbac_proxy_binding.yaml +- kube_rbac_proxy_role.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml - main_attacher_binding.yaml @@ -23,6 +21,8 @@ guestStaticAssetNames: - node_privileged_binding.yaml - node_sa.yaml - privileged_role.yaml +- prometheus_binding.yaml +- prometheus_role.yaml - storageclass.yaml - storageclass_reader_resizer_binding.yaml - volumesnapshot_reader_provisioner_binding.yaml diff --git a/assets/overlays/openstack-cinder/generated/hypershift/kube_rbac_proxy_binding.yaml b/assets/overlays/openstack-cinder/generated/hypershift/kube_rbac_proxy_binding.yaml new file mode 100644 index 000000000..8989743cf --- /dev/null +++ b/assets/overlays/openstack-cinder/generated/hypershift/kube_rbac_proxy_binding.yaml @@ -0,0 +1,19 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/kube_rbac_proxy_binding.yaml +# +# +# Allow kube-rbac-proxies to create tokenreviews to check Prometheus identity when scraping metrics. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: openstack-cinder-kube-rbac-proxy-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: openstack-cinder-kube-rbac-proxy-role +subjects: +- kind: ServiceAccount + name: openstack-cinder-csi-driver-controller-sa + namespace: ${NAMESPACE} diff --git a/assets/overlays/openstack-cinder/generated/hypershift/kube_rbac_proxy_role.yaml b/assets/overlays/openstack-cinder/generated/hypershift/kube_rbac_proxy_role.yaml new file mode 100644 index 000000000..fbe09d569 --- /dev/null 
+++ b/assets/overlays/openstack-cinder/generated/hypershift/kube_rbac_proxy_role.yaml @@ -0,0 +1,18 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/kube_rbac_proxy_role.yaml +# +# +# Allow kube-rbac-proxies to create tokenreviews to check Prometheus identity when scraping metrics. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: openstack-cinder-kube-rbac-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create diff --git a/assets/overlays/openstack-cinder/generated/hypershift/manifests.yaml b/assets/overlays/openstack-cinder/generated/hypershift/manifests.yaml index 186996d9e..3be318b1e 100644 --- a/assets/overlays/openstack-cinder/generated/hypershift/manifests.yaml +++ b/assets/overlays/openstack-cinder/generated/hypershift/manifests.yaml @@ -6,6 +6,8 @@ controllerStaticAssetNames: - service.yaml guestStaticAssetNames: - csidriver.yaml +- kube_rbac_proxy_binding.yaml +- kube_rbac_proxy_role.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml - main_attacher_binding.yaml @@ -16,6 +18,8 @@ guestStaticAssetNames: - node_privileged_binding.yaml - node_sa.yaml - privileged_role.yaml +- prometheus_binding.yaml +- prometheus_role.yaml - storageclass.yaml - storageclass_reader_resizer_binding.yaml - volumesnapshot_reader_provisioner_binding.yaml diff --git a/assets/overlays/openstack-cinder/generated/hypershift/prometheus_binding.yaml b/assets/overlays/openstack-cinder/generated/hypershift/prometheus_binding.yaml new file mode 100644 index 000000000..f25c0ae99 --- /dev/null +++ b/assets/overlays/openstack-cinder/generated/hypershift/prometheus_binding.yaml 
@@ -0,0 +1,20 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/prometheus_binding.yaml +# +# +# Grant cluster-monitoring access to the operator metrics service + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: openstack-cinder-csi-driver-prometheus + namespace: ${NODE_NAMESPACE} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: openstack-cinder-csi-driver-prometheus +subjects: +- kind: ServiceAccount + name: prometheus-k8s + namespace: openshift-monitoring diff --git a/assets/overlays/openstack-cinder/generated/hypershift/prometheus_role.yaml b/assets/overlays/openstack-cinder/generated/hypershift/prometheus_role.yaml new file mode 100644 index 000000000..fc60323d7 --- /dev/null +++ b/assets/overlays/openstack-cinder/generated/hypershift/prometheus_role.yaml @@ -0,0 +1,23 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/prometheus_role.yaml +# +# +# Role for accessing metrics exposed by the operator + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: openstack-cinder-csi-driver-prometheus + namespace: ${NODE_NAMESPACE} +rules: +- apiGroups: + - "" + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch diff --git a/assets/overlays/openstack-cinder/generated/standalone/manifests.yaml b/assets/overlays/openstack-cinder/generated/standalone/manifests.yaml index bdd1e8cea..a00394edd 100644 --- a/assets/overlays/openstack-cinder/generated/standalone/manifests.yaml +++ b/assets/overlays/openstack-cinder/generated/standalone/manifests.yaml 
@@ -3,14 +3,12 @@ controllerStaticAssetNames: - controller.yaml - controller_pdb.yaml - controller_sa.yaml -- kube_rbac_proxy_binding.yaml -- kube_rbac_proxy_role.yaml -- prometheus_binding.yaml -- prometheus_role.yaml - service.yaml - servicemonitor.yaml guestStaticAssetNames: - csidriver.yaml +- kube_rbac_proxy_binding.yaml +- kube_rbac_proxy_role.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml - main_attacher_binding.yaml @@ -21,6 +19,8 @@ guestStaticAssetNames: - node_privileged_binding.yaml - node_sa.yaml - privileged_role.yaml +- prometheus_binding.yaml +- prometheus_role.yaml - storageclass.yaml - storageclass_reader_resizer_binding.yaml - volumesnapshot_reader_provisioner_binding.yaml diff --git a/assets/overlays/openstack-manila/generated/hypershift/kube_rbac_proxy_binding.yaml b/assets/overlays/openstack-manila/generated/hypershift/kube_rbac_proxy_binding.yaml new file mode 100644 index 000000000..80b7b47d2 --- /dev/null +++ b/assets/overlays/openstack-manila/generated/hypershift/kube_rbac_proxy_binding.yaml @@ -0,0 +1,19 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/kube_rbac_proxy_binding.yaml +# +# +# Allow kube-rbac-proxies to create tokenreviews to check Prometheus identity when scraping metrics. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: openstack-manila-kube-rbac-proxy-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: openstack-manila-kube-rbac-proxy-role +subjects: +- kind: ServiceAccount + name: manila-csi-driver-controller-sa + namespace: ${NAMESPACE} diff --git a/assets/overlays/openstack-manila/generated/hypershift/kube_rbac_proxy_role.yaml b/assets/overlays/openstack-manila/generated/hypershift/kube_rbac_proxy_role.yaml new file mode 100644 index 000000000..7438bf1c6 --- /dev/null +++ b/assets/overlays/openstack-manila/generated/hypershift/kube_rbac_proxy_role.yaml 
@@ -0,0 +1,18 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/kube_rbac_proxy_role.yaml +# +# +# Allow kube-rbac-proxies to create tokenreviews to check Prometheus identity when scraping metrics. + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: openstack-manila-kube-rbac-proxy-role +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create diff --git a/assets/overlays/openstack-manila/generated/hypershift/manifests.yaml b/assets/overlays/openstack-manila/generated/hypershift/manifests.yaml index 204364ac9..147d0438f 100644 --- a/assets/overlays/openstack-manila/generated/hypershift/manifests.yaml +++ b/assets/overlays/openstack-manila/generated/hypershift/manifests.yaml @@ -6,6 +6,8 @@ controllerStaticAssetNames: - service.yaml guestStaticAssetNames: - csidriver.yaml +- kube_rbac_proxy_binding.yaml +- kube_rbac_proxy_role.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml - main_provisioner_binding.yaml @@ -16,6 +18,8 @@ guestStaticAssetNames: - node_privileged_binding.yaml - node_sa.yaml - privileged_role.yaml +- prometheus_binding.yaml +- prometheus_role.yaml - storageclass_reader_resizer_binding.yaml - volumesnapshot_reader_provisioner_binding.yaml - volumesnapshotclass.yaml diff --git a/assets/overlays/openstack-manila/generated/hypershift/prometheus_binding.yaml b/assets/overlays/openstack-manila/generated/hypershift/prometheus_binding.yaml new file mode 100644 index 000000000..b0d452a8c --- /dev/null +++ b/assets/overlays/openstack-manila/generated/hypershift/prometheus_binding.yaml 
@@ -0,0 +1,20 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/prometheus_binding.yaml +# +# +# Grant cluster-monitoring access to the operator metrics service + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: manila-csi-driver-prometheus + namespace: ${NODE_NAMESPACE} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: manila-csi-driver-prometheus +subjects: +- kind: ServiceAccount + name: prometheus-k8s + namespace: openshift-monitoring diff --git a/assets/overlays/openstack-manila/generated/hypershift/prometheus_role.yaml b/assets/overlays/openstack-manila/generated/hypershift/prometheus_role.yaml new file mode 100644 index 000000000..5a996effe --- /dev/null +++ b/assets/overlays/openstack-manila/generated/hypershift/prometheus_role.yaml @@ -0,0 +1,23 @@ +# Generated file. Do not edit. Update using "make update". +# +# Loaded from base/rbac/prometheus_role.yaml +# +# +# Role for accessing metrics exposed by the operator + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: manila-csi-driver-prometheus + namespace: ${NODE_NAMESPACE} +rules: +- apiGroups: + - "" + resources: + - services + - endpoints + - pods + verbs: + - get + - list + - watch diff --git a/assets/overlays/openstack-manila/generated/standalone/manifests.yaml b/assets/overlays/openstack-manila/generated/standalone/manifests.yaml index baac27210..4a45329e7 100644 --- a/assets/overlays/openstack-manila/generated/standalone/manifests.yaml +++ b/assets/overlays/openstack-manila/generated/standalone/manifests.yaml 
@@ -3,14 +3,12 @@ controllerStaticAssetNames: - controller.yaml - controller_pdb.yaml - controller_sa.yaml -- kube_rbac_proxy_binding.yaml -- kube_rbac_proxy_role.yaml -- prometheus_binding.yaml -- prometheus_role.yaml - service.yaml - servicemonitor.yaml guestStaticAssetNames: - csidriver.yaml +- kube_rbac_proxy_binding.yaml +- kube_rbac_proxy_role.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml - main_provisioner_binding.yaml @@ -21,6 +19,8 @@ guestStaticAssetNames: - node_privileged_binding.yaml - node_sa.yaml - privileged_role.yaml +- prometheus_binding.yaml +- prometheus_role.yaml - storageclass_reader_resizer_binding.yaml - volumesnapshot_reader_provisioner_binding.yaml - volumesnapshotclass.yaml diff --git a/assets/overlays/samba/generated/standalone/manifests.yaml b/assets/overlays/samba/generated/standalone/manifests.yaml index 5ab392a0a..3cdc5a856 100644 --- a/assets/overlays/samba/generated/standalone/manifests.yaml +++ b/assets/overlays/samba/generated/standalone/manifests.yaml @@ -14,6 +14,8 @@ guestStaticAssetNames: - csi-driver-cluster-role-binding.yaml - csi-driver-cluster-role.yaml - csidriver.yaml +- kube_rbac_proxy_binding.yaml +- kube_rbac_proxy_role.yaml - lease_leader_election_binding.yaml - lease_leader_election_role.yaml - main_provisioner_binding.yaml @@ -22,4 +24,6 @@ guestStaticAssetNames: - node_privileged_binding.yaml - node_sa.yaml - privileged_role.yaml +- prometheus_binding.yaml +- prometheus_role.yaml - storageclass_reader_resizer_binding.yaml diff --git a/pkg/driver/common/generator/base_assets.go b/pkg/driver/common/generator/base_assets.go index 8b385381b..a547f7449 100644 --- a/pkg/driver/common/generator/base_assets.go +++ b/pkg/driver/common/generator/base_assets.go 
@@ -20,12 +20,6 @@ var ( "base/cabundle_cm.yaml", "base/controller_sa.yaml", "base/controller_pdb.yaml", - ).WithAssets(generator.StandaloneOnly, - // TODO: figure out metrics in hypershift - it's probably a different Prometheus there - "base/rbac/kube_rbac_proxy_role.yaml", - "base/rbac/kube_rbac_proxy_binding.yaml", - "base/rbac/prometheus_role.yaml", - "base/rbac/prometheus_binding.yaml", ) // DefaultNodeAssets contains assets that most CSI drivers need to run in the guest cluster (or in standalone OCP). DefaultNodeAssets = generator.NewAssets(generator.AllFlavours, @@ -35,6 +29,11 @@ var ( // The controller Deployment runs leader election in the GUEST cluster "base/rbac/lease_leader_election_role.yaml", "base/rbac/lease_leader_election_binding.yaml", + // Prometheus metrics should be available in the GUEST cluster + "base/rbac/kube_rbac_proxy_role.yaml", + "base/rbac/kube_rbac_proxy_binding.yaml", + "base/rbac/prometheus_role.yaml", + "base/rbac/prometheus_binding.yaml", ) // DefaultAssetPatches contains patches that most CSI drivers need applied to their control plane assets. It adds
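Review bot: The four RBAC assets added to `DefaultNodeAssets` in the second hunk are now applied to the guest cluster for every flavour, but the new comment does not say which identity they are bound to there. The generated HyperShift `kube_rbac_proxy_binding.yaml` earlier in this diff grants `tokenreviews` create to the controller ServiceAccount in `${NAMESPACE}`, while the Prometheus Role and RoleBinding use `${NODE_NAMESPACE}`. Whether that controller ServiceAccount exists in the guest cluster is not visible here, and a ClusterRoleBinding whose subject is absent takes effect for whichever ServiceAccount is later created with that name and namespace. I would confirm what `${NAMESPACE}` resolves to on the guest side and record it once confirmed, e.g. `// Metrics RBAC lives in the GUEST cluster: kube-rbac-proxy (controller SA, ${NAMESPACE}) creates tokenreviews there; prometheus-k8s reads ${NODE_NAMESPACE}.` The `var (` block this hunk edits starts and ends outside the hunk.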